Andrej Radinger, Windows Phone Development MVP
Windows Phone 8 Enterprise Mobile Device Management (MDM)
October 23rd 2013
Jan 12, 2015
Topics
• Introduction
• Windows Phone 8 Applications in the Enterprise
• Windows Phone 8 Devices in the Enterprise
• Building a Company Hub
Introduction
End users are in the driver's seat!
• 59% of employees use mobile devices to run LOB apps [2]
• 91% of employed adults use a personally owned device for business use [1]
• Currently 150 million employees are using their own smartphones and tablets in the office (BYOD) [3]
• BYOD adoption >50% by 2014 [3]
Sources: [1] Survey conducted by Harris Interactive, Feb 2012; [2] Symantec, State of Mobile Computing Survey, Jan 2012; [3] Juniper Research, 2012; [4] Forrester, Jan 2012
IT department losing control!
• 72% of organizations have tablets in use without formal deployment
• 40% of IT decision makers say they let workers access corporate information from BYOD devices, but 70% of employees indicated they access corporate networks this way [2]
• <10% of organizations are fully aware of the devices accessing their network [3]
• 50% of companies experience data breaches due to unsecure devices [4]
• Corporate IT policies that ban the use of employee-owned devices in the name of security inadvertently create new security holes [6]
Sources: [1] Dimensional Research, May 2011; [2] IDC, 2011; [3] SANS Annual Mobile Security Survey, April 2012; [4] Ponemon and WebSense survey, 2012; [5] Symantec, State of Mobile Computing Survey, Jan 2012; [6] Dell, 2011
Mobile Devices in Enterprise Today
• The use of personally owned devices is growing. By 2016, or just 3 years from now:
– 10+ billion mobile-connected devices (1.4 mobile devices per capita) – Cisco, Feb 2012
– Smart connected device (PCs, tablets and smartphones) shipments reach 1.84 billion units – IDC, Mar 2012
– 1 billion consumers will have smartphones – Forrester, Feb 2012
• BYOD usage is a reality and growing: "Currently 150 million employees are using their own smartphones and tablets in the office. This number is predicted to rise to 350 million by 2014" – Mobile Security Strategies: Threats, Solutions & Market Forecasts 2012-2017 (Juniper Research, 2012)
• IT is not in control: "40% of IT decision makers say they let workers access corporate information from employee-owned devices, but 70% of employees indicated they access corporate networks this way" – Consumerization of IT Study: Closing the "Consumerization Gap" (IDC, 2011)
• Restrictive policies are not the answer: "Corporate IT policies that ban the use of employee-owned devices in the name of security inadvertently create new security holes." – CIO Strategies for Consumerization: The Future of Enterprise Mobile Computing (Dell, 2011)
Top IT mobility challenge: cost-effectively secure and manage the multiple devices in the Enterprise
MDM Overview
• MDM addresses the top IT mobility challenges
• Fairly new solution area – consolidation and major shifts still ongoing
• Common elements that MDM solutions include:
– Policy Management
– Inventory Management
– Security Management
– Device Service Management
– Device Software Distribution
• Key attributes of a high-quality MDM solution:
– High level of automation
– High-quality reporting
– Integration with existing security and management systems
– Right balance of "User Experience vs. Security"
• A few things to keep in mind:
– Some device platforms will limit manageability (due to manufacturer design)
– Android platform support is difficult (due to platform fragmentation)
– Most MDM solutions focus on the major device platforms (WP, iOS, Android); limited or no support for other platforms is not uncommon
Windows Phone 8 apps in the Enterprise
Companies control which phones may run their apps: enterprise apps may install and run only on phones that are enrolled with the associated enterprise.
Companies control the lifecycle of their apps: no ongoing interaction from Microsoft.
Companies control the deployment and distribution: it is highly recommended to authenticate users prior to app enrollment and app deployment.
Enable companies to deploy business applications to their employees privately and securely.
App installs require user confirmation; updates of existing apps can be done silently.
Companies can inventory only their own apps: Marketplace apps, user settings, and other enterprise data are not available.
The phone's unique identifier is per-publisher: publishers cannot correlate user data with other publishers or companies.
Enable end users to feel in control while preserving a company's right to protect their data.
Windows Phone Applications in the Enterprise
• Windows Phone 8 allows enterprises to configure enterprise-wide application distribution
• The enterprise can create and distribute Windows Phone applications without requiring them to be approved by the Microsoft Windows Store
• User phones can be either managed or unmanaged
– Very high level of control over a managed phone
– An unmanaged phone can be used in a "Bring Your Own Device" mode
• An Enterprise can create its own Application Hub, which can be made available on managed devices
Enterprise Applications
• An Enterprise Application does not have any more access to the underlying device than a "normal" one
• It does not have to pass the Marketplace certification
– This could result in less reliable / harder-to-use applications being published by an enterprise
– Enterprises are advised to use the Marketplace Test Kit to internally validate applications before making them available
• Capabilities are enforced on the device
– For example, if an application needs to use the location service, the user will be asked for permission when the application is first run
Creating Enterprise Applications
• An Enterprise can use its keys to sign applications that are then posted in its own application store
• Devices are "enrolled" to allow them to install and run applications from the Enterprise
• An Enterprise "token" is loaded onto the device when it is enrolled
– This allows the device to validate enterprise applications
• Enterprise applications are published directly by the Enterprise; they are not subjected to any Marketplace certification
Enterprise Client Application Example
• Microsoft has created an internal application hub that provides corporate information alongside other information
Enterprise Registration
• An Enterprise must register with the Windows Phone Developer Center if it wants to distribute enterprise applications to selected devices
– Microsoft provides the Enterprise with a set of tools that can be used to create applications for deployment within the Enterprise
– Microsoft informs VeriSign that the Enterprise is registering
• Once the Enterprise has approved, VeriSign will issue a certificate for the key pair to be used by the Enterprise to sign applications
• This creates a new Enterprise Root and Certification Authority which is trusted by the Windows Phone 8 security system
– Can be used to sign applications that can be deployed onto Windows Phone 8 devices
Overview: account creation and cert acquisition
(Diagram: flow between the Company, Microsoft and Symantec, steps 1–8)
• Must be a Company account
• Publisher name displayed on phone
• Company approval required
• Private key, CSR, cert are local to PC
Enterprise certificate
(Diagram: certificate fields)
• Issuer
• Validity period
• Publisher name
• Publisher ID
• Enterprise apps EKU
App enrollment
• App enrollment token (AET) is generated once per year
• Delivered to the phone over an authenticated channel via email, browser, or MDM
• Validated for signature and expiration
(Diagram: the Enterprise Service issues the AET, carrying the Publisher ID, to the Windows Phone 8 device via email/browser/MDM, steps 1–3)
App deployment
• App is signed using tools in the WP SDK 8.0
• Delivered to the phone over an authenticated channel via email, browser, MDM, or company hub
• Validated for signature, an associated AET, and allowed capabilities
(Diagram: the Enterprise Service delivers the signed XAP to the Windows Phone 8 device via email/browser/MDM/company hub, steps 1–3)
App launch
• User launches an enterprise app via the shell or an API
• Publisher ID is extracted and used to find the associated AET
• AET must be valid and not revoked or disabled
(Diagram: Windows Phone 8 Execution Manager and the Enterprise Service, steps 1–3)
Phone home
• Phone sends device ID, publisher IDs, and enterprise app IDs
• Phone receives status for each enterprise
• Apps of invalid enterprises are blocked from being installed or launched
• Scheduled daily, plus on each enrollment and app install
• After 7 consecutive failed attempts, install of enterprise apps is blocked, but launch of installed apps still works
(Diagram: Windows Phone Services, request (1) and response (2))
Phone home – sample protocol
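As an added example (not from the slides or from Microsoft), a Python model of the phone-side policy described in the App launch and Phone home slides: an AET store keyed by publisher ID, the phone-home request carrying the fields the slide lists, per-enterprise status taken from the response, and the install/launch decisions including the 7-consecutive-failure rule. The request shape, the `service` callable and the integer day counter are assumptions made for the example.

```python
from dataclasses import dataclass, field

MAX_FAILED_PHONE_HOMES = 7   # slide: 7 consecutive failures block installs, not launches

@dataclass
class Aet:                   # app enrollment token: one per enterprise, renewed yearly
    publisher_id: str
    expires_day: int         # assumed day counter (e.g. days since epoch); invalid after this day
    disabled: bool = False   # enrollment switched off locally (user or MDM)

@dataclass
class PhoneState:
    device_id: str
    aets: dict = field(default_factory=dict)    # publisher_id -> Aet
    status: dict = field(default_factory=dict)  # publisher_id -> "valid" | "revoked" (from phone home)
    failed_phone_homes: int = 0                 # counts consecutive failures only

def build_phone_home_request(state, installed_app_ids):
    # Field set from the slide: device ID, publisher IDs, enterprise app IDs (the dict shape is constructed)
    return {"device_id": state.device_id, "publisher_ids": sorted(state.aets),
            "app_ids": sorted(installed_app_ids)}

def phone_home(state, request, service):
    # service: hypothetical transport returning {publisher_id: status} or raising ConnectionError
    try:
        response = service(request)
    except ConnectionError:
        state.failed_phone_homes += 1
        return False
    state.failed_phone_homes = 0          # a success resets the consecutive-failure counter
    state.status.update(response)         # "status for each enterprise"
    return True

def aet_is_valid(state, publisher_id, today):
    # Launch rule from the slides: AET present, not disabled, not expired, not revoked
    aet = state.aets.get(publisher_id)
    if aet is None or aet.disabled or today > aet.expires_day:
        return False
    return state.status.get(publisher_id, "valid") != "revoked"

def can_install(state, publisher_id, today):
    # Install additionally requires that phone home has not failed 7 times in a row
    return aet_is_valid(state, publisher_id, today) and state.failed_phone_homes < MAX_FAILED_PHONE_HOMES

def can_launch(state, publisher_id, today):
    # Already installed apps keep launching even while the phone-home channel is down
    return aet_is_valid(state, publisher_id, today)
```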
Windows Phone 8 Devices in the Enterprise
The Enterprise and Windows Phone Devices
• If the Enterprise just wants to distribute its applications to selected phones, it just needs to register to do this
– It will sign the XAP files of its applications with its Enterprise certificate
• An Enterprise can also deploy "managed" Windows Phone 8 devices
• A "managed" Windows Phone 8 device is under much more direct control from the enterprise
• System management tools are provided that allow the phone to be remotely managed
– Applications can be installed and revoked
– Data can be remotely deleted
Unmanaged and Managed devices
• An Enterprise can interact with "managed" and "unmanaged" Windows Phone 8 devices
• An Unmanaged phone (which might be a Bring Your Own Device) is one that is not integrated into the management regime of the Enterprise
– The user of an Unmanaged phone has control over which applications are loaded onto the phone and what phone capabilities the applications have
• An Enterprise has a high level of control over a Managed phone
– The Enterprise can automatically deploy and revoke applications on the phone
– An Enterprise can remotely delete data from a Managed phone
Managed vs Unmanaged Phones
| Feature                        | Unmanaged Phone | Managed Phone |
|--------------------------------|-----------------|---------------|
| Device encryption              | Yes             | Yes           |
| Private app distribution       | Yes             | Yes           |
| Policy management              | No              | Yes           |
| App management                 | No              | Yes           |
| App un-enrollment              | No              | Yes           |
| Remote delete of business data | No              | Yes           |
| Company Hub APIs               | Yes             | Yes           |
Device Enrolment
• The Enterprise can distribute applications to Managed and Unmanaged Windows Phone 8 devices
– A device must be "enrolled" so that it can run Enterprise applications
– This provides it with an enrolment token that can be used to open XAP files that have been signed by the Enterprise
– This is a "one time" action
• Managed phones are automatically enrolled to the Enterprise
• An Unmanaged phone must be enrolled before it can run the applications
Enrolling an Unmanaged Phone
• There are a number of ways that an unmanaged phone can be enrolled:
– Send the phone the token using an email secured by IRM (Information Rights Management)
– Email a message containing a web link to the token; the user must authenticate on the web site before being given the token
• Once the phone has been enrolled into the enterprise, the user can download and run enterprise applications
• Enrolment does not affect any other aspects of phone use
– It does not allow remote management of the enrolled phone
• Microsoft does not provide tools to track the number of unmanaged phones that have been enrolled
Enrolment on Managed and Unmanaged Devices
| Feature                   | Unmanaged Phone                              | Managed Phone                        |
|---------------------------|----------------------------------------------|--------------------------------------|
| App enrollment            | By attachment in email / via web link        | Integrated with device enrollment    |
| Enterprise app store      | Implemented by Enterprise IT                 | Provisioned by System Center         |
| Enterprise client install | By attachment in IT email or by web download | Integrated with device enrollment    |
| App inventory             | Implemented by Enterprise IT                 | Provisioned by System Center         |
| App un-enrollment         | N/A                                          | Integrated with device un-enrollment |
| Containment               | Low                                          | High                                 |